DERIVED FROM: NSA/CSSM 1-52

What is XKEYSCORE?



1. DNI Exploitation System/Analytic Framework

2. Performs strong (e.g. email) and soft (content) selection

3. Provides real-time target activity (tipping)

4. "Rolling Buffer" of ~3 days of ALL unfiltered data seen by XKEYSCORE:

• Stores full-take data at the collection site - indexed by meta-data

• Provides a series of viewers for common data types

5. Federated Query system - one query scans all sites

• Performing full-take allows analysts to find targets that were previously unknown by mining the meta-data
Methodology



• Small, focused team 

• Work closely with the analysts 

• Evolutionary development cycle (deploy early, deploy often) 

• React to mission requirements 

• Support staff integrated with developers 

• Sometimes a delicate balance of mission and research 
• Massive distributed Linux cluster

• Over 500 servers distributed around the world

• System can scale linearly - simply add a new server to the cluster

• Federated Query Mechanism
Query Hierarchy

[Diagram: a query entered at F6 HQS is passed down as a query to each collection site (FORNSAT site, SSO site, F6 Site 1, F6 Site 2, ...). Approximately 150 sites, over 700 servers.]
General Capability




Processing Speed 
Why do shallow

• Can look at more data

• XKEYSCORE can also be configured to go shallow if the data rate is too high
Why go deep

• Strong Selection itself gives us only a very limited capability

• A large amount of time spent on the web is performing actions that are anonymous

• We can use this traffic to detect anomalies which can lead us to intelligence by itself, or strong selectors for traditional tasking
[Diagram: sessions -> processing engine (plug-ins) -> database tables (full log, e-mail addresses, phone numbers, ...) -> user queries]

Plug-ins extract and index metadata into tables

Plug-in: Description

E-mail Addresses: Indexes every e-mail address seen in a session by both username and domain

Extracted Files: Indexes every file seen in a session by both filename and extension

Full Log: Indexes every DNI session collected. Data is indexed by the standard N-tuple (IP, Port, Casenotation etc.)

HTTP Parser: Indexes the client-side HTTP traffic (examples to follow)

Phone Number: Indexes every phone number seen in a session (e.g. address book entries or signature block)

User Activity: Indexes the Webmail and Chat activity to include username, buddylist, machine specific cookies etc.
What Can Be Stored

Anything you wish to extract

Choose your metadata

Customizable storage times

• Ex: HTTP Parser

[Screenshot of an HTTP Parser record: from-IP and to-IP (truncated in the scan), then the captured client request "GET /search?hl=en&q=islamabad&meta= HTTP/1.0" with its Accept header, "Referer: http://www.google.com.pk/", a User-Agent (Mozilla/4.0 compatible, MSIE, Windows NT), "Host: www.google.com.", a Via header naming a squid/2.5.STABLE13 proxy on port 8080, X-Forwarded-For, "Connection: keep-alive", and a cookie carrying TM, LM and S fields.]
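As an added example of the plug-in model described above (this is illustrative code, not from the deck or from XKEYSCORE): a small Python HTTP parser that pulls the fields the HTTP Parser and User Activity plug-ins index (host, user agent, Accept-Language, X-Forwarded-For, cookie names) out of constructed cleartext sessions and files them into per-field tables keyed by the session n-tuple. The addresses and headers are constructed; the defender's takeaway is that every one of these fields is visible to any on-path observer whenever HTTP runs without TLS.

```python
import re
from collections import defaultdict

# Constructed sample sessions (hypothetical addresses/headers, not from any real capture).
SESSIONS = [
    {"src_ip": "192.0.2.10", "dst_ip": "198.51.100.7", "dst_port": 80,
     "payload": ("GET /search?hl=en&q=example HTTP/1.0\r\n"
                 "Host: www.example.com\r\n"
                 "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
                 "Accept-Language: de-DE,de;q=0.8\r\n"
                 "X-Forwarded-For: 10.0.0.5\r\n"
                 "Cookie: PREF=ID=abc123:S=tok456; SID=xyz\r\n\r\n")},
    {"src_ip": "192.0.2.11", "dst_ip": "198.51.100.7", "dst_port": 80,
     "payload": "GET / HTTP/1.1\r\nHost: www.example.com\r\nAccept-Language: en-US\r\n\r\n"},
]
HEADER_RE = re.compile(r"^([\w-]+):\s*(.*)$")

def parse_http_request(payload):
    """Return (method, target, {lowercased header name: value}) for one cleartext request."""
    head = payload.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target = request_line.split(" ", 2)[:2]
    headers = {m.group(1).lower(): m.group(2) for m in map(HEADER_RE.match, header_lines) if m}
    return method, target, headers

def http_plugin(session):
    """Plug-in in the deck's sense: pull indexable metadata out of one session."""
    _method, _target, h = parse_http_request(session["payload"])
    cookies = [c.split("=", 1)[0].strip() for c in h.get("cookie", "").split(";") if c.strip()]
    return {
        "n_tuple": (session["src_ip"], session["dst_ip"], session["dst_port"]),
        "host": h.get("host"),
        "user_agent": h.get("user-agent"),
        "language": h.get("accept-language", "").split(",")[0] or None,
        "proxy_client": h.get("x-forwarded-for"),  # the real client address leaks through a proxy
        "cookie_names": cookies,                   # "machine specific cookies", in the deck's words
    }

def index_sessions(sessions, fields=("host", "user_agent", "language", "proxy_client")):
    """Build per-field tables mapping each observed value to the session n-tuples it was seen in."""
    tables = defaultdict(lambda: defaultdict(list))
    for s in sessions:
        rec = http_plugin(s)
        for f in fields:
            if rec[f]:
                tables[f][rec[f]].append(rec["n_tuple"])
        for name in rec["cookie_names"]:
            tables["cookie_name"][name].append(rec["n_tuple"])
    return tables
```

A lookup such as `index_sessions(SESSIONS)["language"]["de-DE"]` answers the "language out of place" question later in the deck with no selector at all, which is exactly why Accept-Language, cookies and proxy headers should never cross the wire unencrypted.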
Finding Targets

• How do I find a strong-selector for a known target?

• How do I find a cell of terrorists that has no connection to known strong-selectors?

• Answer: Look for anomalous events

• E.g. Someone whose language is out of place for the region they are in

• Someone who is using encryption

• Someone searching the web for suspicious stuff



TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL 



[Slide: Encryption. The scan holds two screenshots, a query-results view and an Arabic-language document prompting "Enter Password" (Password, Confirm, OK, Cancel, Help); the OCR of both is unrecoverable. The slide bullets survive only as fragments: "Show me all ... documents fr...", "Show me all ...", "Once again - forwarding t...", "No strong-se...", "Can perform ... query, then ... from site as required".]

Technology Detection

• Show me all the VPN startups in country X and give me the data so I can decrypt and discover the users

• These events are easily browsable in XKEYSCORE

• No strong-selector

• XKEYSCORE extracts and stores authoring information for many major document types - can perform a retrospective survey to trace the document origin since metadata is typically kept for up to 30 days

• No other system performs this on raw unselected bulk traffic, data volumes prohibit forwarding
Persona Session

• Traditionally triggered by a strong-selector event, but it doesn't have to be this way

• Reverse PSC - from anomalous event back to a strong selector. You cannot perform this kind of analysis when the data has first been strong selected.

• Tie in with Marina - allow PSC collection after the event
• My target speaks German but is in Pakistan - how can I find him?

• XKEYSCORE's HTTP Activity plugin extracts and stores all HTML language tags which can then be searched

• Not possible in any other system but XKEYSCORE, nor could it be -

• volumes are too great to forward

• No strong-selector
No strong-selector

Data volume too high to forward
All images are hashed in the metadata, so that you can search for anyone who has received or transmitted this document.

This is really useful for company logos.
Multiple dictionaries targeted at specific data types
• Show me all the exploitable machines in country X

• Fingerprints from TAO are loaded into XKEYSCORE's application/fingerprintID engine

• Data is tagged and databased

• No strong-selector

• Complex boolean tasking and regular expressions required
XKEYSCORE Success Stories
XKEYSCORE and TRAFFICTHIEF

• Customer: CounterTerrorism (CT)

• Provides near real-time tips to TRAFFICTHIEF server in operations in coordination with coalition forces in Iraq 24 hours a day

• Currently producing hundreds of confirmed alerts per day on over 3000 user accounts
May 2006, Wealthy Cluster 2 and XKEYSCORE installed at

• Connected to Moonshine

• Enabled processing of wireless collection

• Enabled near-real-time tipping

• Enabled full-take SR£DEV

Un-locatable cafes were geolocated
• Four Other Cafes Being Developed

Acquired important targets:

• NSA/Georgia Tips With Precise Locations

• JSOC Tools In

• Reacquired

Lost When Zarkanet Went Down

Terrorists were captured
Innovation

• High Speed Selection

• Toolbar

• Integration with Marina

• GPRS WLAN integration

• SSO CRDB

• Workflows

• Multi-level Dictionaries





Future 



• High speeds yet again (algorithmic and Cell 
Processor (R4)) 

• Better presentation 

• Entity Extraction 

• VoIP 

• More networking protocols 

• Additional metadata 

• Expand on google-earth capability 

• EXIF tags 

• Integration of all CES-AppProcs 

• Easier to install/maintain/upgrade 